As eagle-eyed users of LastPass will have noticed, the company recently introduced a cloud backup option for the company’s popular smartphone Authenticator app.
Authenticator implements multi-factor authentication for LastPass and a range of third-party services supporting the Time-based One-Time Password (TOTP) algorithm such as Google, Facebook, Microsoft, WordPress, Dropbox, and so on.
It’s possible to do this from Google’s Authenticator app but, frankly, LastPass is better at it because it offers features such as one-tap push notifications which make using it quick and easy.
However, the convenience comes with a small pitfall for the unwary – what happens if the smartphone running Authenticator tied to a user’s account is lost or stolen?
Because the phone’s subscriber IMEI is paired to the service during enrollment, setting up a new one requires users to go back to square one, which means re-enrolling (or re-instating using backup codes) every single third-party service it was being used with.
What the new cloud backup option offers is a to dodge this hassle by backing up the multi-factor tokens to the LastPass vault in an encrypted state.
Doubtless, a few people will find this alarming – indeed, some do. Backing up multi-factor tokens to one place sounds risky because you are putting the multi-factor eggs in one basket. On the face of it, that goes against the point of multi-factor authentication – which is that there should never be one point of failure.
Or you could argue that putting tokens inside a password manager is no less secure than putting lots of passwords inside a password manager in the first place. Anyone wanting access to the vault will still have to get around both password and multi-factor security to gain access to critical data.
There is one hypothetical difference. If LastPass is somehow compromised for users not using LastPass Authenticator, the attackers have access to all the passwords plus a way of bypassing LastPass’s own multi-factor authentication. What they won’t have without the phone or a reliable man-in-the middle compromise is a way of compromising the subset of sites inside the vault that have multi-factor authentication turned on independently.
In theory – and it’s only “in theory” because the multi-factor backup is secured using the same security as any other LastPass data – anyone using Authenticator with multi-factor backup turned on might lose this defence in the same situation.
In the end, the argument in favour of cloud backup is that it’s a compromise designed to cope with the fact that multi-factor security doesn’t scale well. The technology is great for a handful of sites, but apply it to dozens and it starts to weigh people down in exactly the same way passwords do. Make reinstatement too onerous and people won’t use it at all.
Password managers were invented to manage lots of passwords people couldn’t remember in the same way that authentication apps manage lots of multi-factor systems that eventually slow people down.
LastPass is doing what its users have asked it to do. Security often edges its way forward by making these sorts of compromises without which we must revert to physical tokens, offline databases or paper and pen. As long as LastPass users know they have a choice.
Stuart Rance
“…compromises without which we must revert to physical tokens” – a physical token sounds like a simple and effective way to manage 2 factor authentication.
John E Dunn
I use a token too but it doesn’t support all services. So you end up with sprawl.
Kickedmycat
What was wrong with authy; does the same thing.
It a shame to think all the bullshit about cloud blead, was so over hyped. Last Pas has just made 2FA pointless is your least Pas account is compromised.
simonrwaters
AUTHY does multi-device authentication by SMS by default – easy fail.
Caught one user syncing AUTHY data to his desktop.
1Password also encourages storing 2FA credentials in the vault.
LastPass at least defaults this to off.
But I think we are setting up end users to fail, sometimes less is more.
Kurt Schilling
Your point about what happens if the phone gets stolen is a good one. Personally I don’t use my phone for shopping or for sites that require a USID/PW login. If I did, I don’t think that I’d really trust a cloud based storage of sensitive information. If I have to shop online, I do it from home on a computer that connects via a VPN and even on that machine, I use off line storage for PWs. If you really want safety: perhaps you shouldn’t go online in the first place.
iamsra
Your seem to have a problem securitizing my secrets in your system, for which I’m paying?